I am seeing millions (literally) of these in the logs of my
machines:
sshd[30216]: Failed password for root from 203.71.62.9 port 35778 ssh2
I understand that this is some kind of virus, but it's not making me
very happy because logcheck and and some of our IDS systems are
going haywire, creating streams of false alarms.
Other than blacklisting the IPs (which is a race I am going to
lose), what are people doing? Are there any distinctive marks in the
SSH login attempt that one could filter on?
--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:&quot; net@madduck
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
spamtraps: madduck.bogus@madduck.net
"i wish there was a knob on the tv to turn up the intelligence.
there's a knob called 'brightness', but it doesn't seem to work."
-- gallagher